Juniper Openstack

[Mainline-Build 2708]: IPv6- remote ip prefix is not considered for SG ipv6 rule

Bug #1540352 reported by alok kumar on 2016-02-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Juniper Openstack	Status tracked in Trunk
	Trunk	Fix Committed	Undecided	Ashok Singh	Juniper Openstack r3.0-fcs

Bug Description

I have below sg1 rules:

root@nodeg18:~# neutron security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| f7b5d5bd-088b-4cb2-aec0-9bde37b5ca5c | sg1 | egress | tcp | 2002:1::/64 | |
| 0e44008f-266a-4155-93e0-cf46eb70b066 | sg1 | egress | tcp | 1.1.1.0/24 | |

as per rule it should allow tcp traffic only to cidr prefixes 1.1.1.0/24 and 2002:1::/64.

this SG is attached to VM (2002:1::3) and when I try to ssh to other VM(2002:2::4) in different VN, it goes through and I see flow is created.

root@nodec12:~# flow -l | grep 2002:2::4 -A2 -B2

   412304<=>489728 2002:1::3:54602 6 (3)
                         2002:2::4:22
    (K(nh):45, Action:F, Flags:, TCP:SSrEEr, S(nh):45, Statistics:8/2087 UdpSrcPort 49521

--
(K(nh):52, Action:F, Flags:, S(nh):52, Statistics:3/288 UdpSrcPort 56796

   489728<=>412304 2002:2::4:22 6 (3)
                         2002:1::3:54602
    (K(nh):45, Action:F, Flags:, TCP:SSrEEr, S(nh):57, Statistics:7/2817 UdpSrcPort 60814

this works fine for IPv4 and does not allow traffic to cidr prefixes other than 1.1.1.0/24.

Tags: